RIYADI DOT CO DOT NR »

Update Blog

Udah cukup lama saya vacum di dunia blog, dengan segala kegiatan yang menguras tenaga saya. Sehingga tidak bisa menyempatkan waktu hanya 2 menit atau 5 menit untuk update blog ini He He He He.

Untuk itu sekarang saya ingin update blog ini demi kemajuan IT yang saya miliki ataupun IT yang saya ketahui saat ini. Salam Dunia IT dan semoga IT Di Indonesia selalu berkembang, Amin.

Ditulis Oleh Riyadi, Saturday, December 20, 2008 7:08:00 AM | 0 comments |

Setting up Mandrake 10.1 as a Firewall 3

Basic Web Services
So far we have setup a basic firewall that allows you to share the Internet connection, as well as protect your network from Internet traffic. Now we will enhance the Firewall with Services that will allow for easy client setup, improve your Internet speed and filter out undesirable web pages or content that you may wish to remove. Ordinarily, companies charge quite a bit of money to provide these services (especially for content filtering), but here I will discuss how to setup these services using Mandrake Linux and it's web interface.

DHCP and Caching DNS
To automate the configuration of your network clients, you can enable the DHCP server service available on the firewall. DHCP (Dynamic Host Configuration Protocol) allows you to have the firewall automatically send the computers on your LAN the correct IP configuration values during bootup. So, instead of going to each machine and entering a separate IP address, subnet, DNS server and gateway machine, you can have the LAN computers get this information from your firewall. To set this service up, click on DHCP and enter the relevant information, it is pretty self explanatory.
To alleviate excess DNS lookups over your Internet connection, you can setup the firewall to act as a DNS server for your LAN. Doing this will enable the firewall to "cache" all of the nameserver lookups, so if multiple clients try to find the IP address for the same domain name, such as http://www.google.com/, the firewall will send the correct information without needing to access your Internet Service Provider's DNS server.

To enable the Caching DNS service, you simply need to enter the IP address of a forwarding DNS server. This will allow the firewall to query that DNS server if it does not have the information in it's cache. If for some reason the DNS service fails to start or gets mis-configured, simply shut off the service, login to the firewall and move the /etc/named.conf file to something else, such as /etc/named.bak and re-enable the service. The software will re-create a correct /etc/named.conf file to allow the service to work again.

Note: If you run a network utilizing Microsoft Active Directory, Microsoft Exchange Server, or any other newer Microsoft Server, you must utilize Microsoft's DHCP and DNS Services, otherwise you will have severe network slowdowns and communication errors.

Web Proxy and Filtering
One way to really speed up your Internet service is to provide a way to "cache" web pages at the firewall so that if multiple users go to the same sites, most of the images and other information will be retrieved from the firewall instead of the remote Web Server. Also when you implement a proxy or "caching" service, you can also utilize a site/content filter to deny access to certain remote sites, such as pornography or content, such as ads. Many companies produce products that will do this type of filtering, however, these products are quite expensive and IMO are no better than what the OSS community offers with these tools.

Another benefit of a Proxy or "Caching" Server is the ability to only provide Internet Access to people "authenticated" to use the Internet. Mandrake offers the ability to provide a "transparent" proxy, manual proxy or manual "authenticating" proxy using either locally created usernames, an LDAP user database or a SMB (Windows Domain) user database.

The "transparent" settings are just about the same as a "manual" setting, except that it simply adds a "Redirect" to port 3328 rule to your Shorewall settings for traffic coming from the LAN. So, I guess you could even have a "transparent authenticating" proxy if you really need one.
Using the web interface it is quite easy to enable the proxy server, simply click on the Web Proxy settings, then select the type of proxy, either manual, manual authenticating or transparent. The easiest is "transparent" because you will not have to adjust any settings on your clients to be able to use the proxy server, it will simply "just work".

Once you setup and enable the Web Proxy, you will notice that you now have the opportunity to configure both a URL Filter (SquidGuard) and a Content Filter (Dansguardian). When you start to implement each of these services, it is best to do things a step at a time, any misconfiguration could lead to your LAN computers not being able to access the Internet at all.

For those wishing to enable Squidguard here are a few tips. First, make sure you add your local network to the authorized network list (i.e. 192.168.0.0/24). If you plan to block quite a few sites, do not use the web based tools, instead go to a command line and manually add whatever you want to the database through simple text files. An easy way to do this would be to download an updated blacklists file from squidguard.org. Then, once these are downloaded, uncompress them in the root (/root) directory and add the contents of whatever list you want to ban to one the following files:

/usr/share/squidGuard-1.2.0/db/advertising/urls
/usr/share/squidGuard-1.2.0/db/advertising/domains
/usr/share/squidGuard-1.2.0/db/banneddestination/urls
/usr/share/squidGuard-1.2.0/db/banneddestination/domains
/usr/share/squidGuard-1.2.0/db/banneddestination/expressionsyou can do this with vi by "reading" the file in using the ":r /path/to/filename" command. The advertising directory will replace advertising content with a small dot(so an annoying error box will not show up), while the banneddestination directory will deny all access to the specified sites. Once this is done, you must change these text files to a SquidGuard database by issuing:

squidGuard -C allOne more thing, make sure that squid is both the owner and group of these files by executing the following command:

chown squid.squid /usr/share/squidGuard-1.2.0/db -RYour Proxy Server will now block these sites (after you restart squid). Unfortunately, there is another bug we must fix, so the "denied page" is not an access denied to the squidguard.cgi file, but instead the nice, somewhat informative blue/green Mandrake denied page.

To fix this you must edit the "/etc/httpd/conf/commonhttpd2-naat.conf" file. Toward the end of the file, it will list the "/var/www-naat/cgi-bin" directory. You must add the following so the web server will have permission to use the SquidGuard cgi-bin directory.

AllowOverride All
Options ExecCGI

Order allow,deny
Allow from all

Finally, if you ever (accidentally) go back to the banned destination configuration page through the web interface, you must once again recreate the databases and change the ownership manually. As for configuring Dansguardian, please visit their website at http://www.dansguardian.org. In my experience, SquidGuard seems to be enough of a deterrent that Dansguardian is not needed.

Intrusion Detection
Using the web interface, you can enable both Snort and Prelude Intrusion Detection Systems. These IDS services work quite well, unfortunately, when you have an IDS on a computer directly connected to the Internet you will get quite a few false positives. So, weeding through the logfiles can quickly become a fulltime job. If you do plan on enabling the IDS on the firewall, it is best to also use a "helper" application that will allow you to just view "threats" on your machine, such as logwatch.

Optimally, if you do have a large network, it is best to place an IDS server somewhere on your LAN so you can monitor for any suspicious activity that somehow makes it through your firewall. For more information on how to do this, there are two books available from the Bruce Peren's Open Source series at http://phptr.com/perens. The titles are "Open Source Security Tools" and "Intrusion Detection with Snort".

Testing and enhancing your Firewall

Testing and enhancing your Firewall
Testing your Firewall
One of the final things you should do before implementing a firewall solution is to ensure you fully test it to make sure it does what it is supposed to. You should run these tests on both sides of the firewall, the Internet side, as well as the LAN side. In order to properly test your firewall, there are a few applications available. The first application you should use would be a port scanner to ensure your firewall rules are in place. The most popular port scanner, NMAP is available for nearly any Operating System at http://insecure.org/nmap.

Another other tool that you should run on your firewall would be a vulnerability scanner. These tools will scan your server for known vulnerabilities, such as ones "script kiddies" would take advantage of. You can get a good vulnerabilitiy scanner called Nessus for Linux/Unix based machines from http://www.nessus.org.

Enhancing your Firewall
One of the great things about utilizing Mandrake Linux 10.1 for your firewall is the fact that there are so many packages available for it. It is very simple to add additional tools that would be beneficial for you run. A few of them would be:

ntop- Network traffic probe - this package is accessed through a web interface. Once installed you must ensure that the "/usr/share/ntop" directory has correct permissions, then add the following to /etc/sysconfig/ntop - extra_args="-i eth0,eth1 -M" to allow ntop to monitor both network interfaces. Then simply open http://ipaddress:3000 in your browser to utilize the program.

mrtg- Multi Router Traffic Grapher will monitor the traffic load on your firewall, also available through a web interface.

netwatch- terminal based network watching program. Simply type in "netwatch -e eth1" at a prompt to watch all the traffic going through your LAN interface.

All of these packages can be easily installed by running a "urpmi packagename", then after they are configured you will be able to take advantage of the software. There are hundreds other packages you could take advantage of, such as squid-log analyzers, packet sniffers, etc., all of these are only an urpmi away.

Note: It is extremely easy to add additional services to your firewall, such as a Mail, FTP or a Web Server, however, it is strongly discouraged to run anything but the "bare minimum" services on a firewall computer.

Conclusion
A firewall is one of the first things that you must consider when securing a network. There are many products available to handle this job, ranging from "Linux on a floppy" firewalls and low-cost "home firewall" devices, all the way to highly expensive Cisco Pix firewalls. However, if you want full functionality, Mandrake offers an easy to use web interface coupled with all the features you could want in a firewall (including VPN services), plus the expandability that comes with a complete commercial Linux distribution. All for a price that will not break your budget.

Link Teman :
Agus Santoso
Anita Sri Srep
Nur Hayati
Sigit Efendi

Sumber : http://www.flexbeta.net/main/printarticle.php?id=87

Labels: jaringan

Ditulis Oleh Riyadi, Monday, April 14, 2008 12:05:00 PM | 0 comments |

Setting up Mandrake 10.1 as a Firewall 2

Configuration Using the Web Interface
Once installation is complete and you have the httpd2-naat service running, you will want to log into your firewall remotely by using a web browser. The address you will need to use is:

https://IPADDRESS:8443/ - for example https://10.0.0.10:8443/If you run into a "connection refused" or any other similar error, the problem is that shorewall is enabled, but not yet configured. To fix this simply type the following at the Firewall Computer:

shorewall clearNote: While setting up your firewall, the software will automatically restart Shorewall in some instances. Until Shorewall is properly configured, you may need to run the "shorewall clear" command whenever you find that you cannot connect to the web interface on your firewall.

System Setup
To begin configuring your firewall, you must enter the system setup section, it will have you hit next to read the current settings. Unfortunately these scripts are a little outdated, so you will probably have an empty slate to start with, just click "apply". Again, if you get a connection refused error or similar, you must execute the "shorewall clear" command at the firewall to reconnect.

Continuing setup, go back into the "System Setup" section, click on modify and re-enter the system and domain name you will use. Then click on "Network Cards" and ensure that all of you network cards are detected and all the basic settings are correct.

Continuing down the line of the System Setup section, the Account section will allow you to change your password, the Alert section will allow you to change the system's log level, and Time will allow you to change the time zone and specify a ntp server to sync the time with. You will want to rerun the Time setup after you configure your Internet settings and Shorewall to ensure you will be able to connect to a time server.

Internet Settings
The Internet Access section allows you to configure how your firewall accesses the Internet as well as the settings required to connect. Most firewalls will use the Cable/LAN settings to connect to the Internet, so click on it and enter the required fields for your Internet connection, otherwise select the proper connection method and enter the appropriate settings.

Don't worry to much about the Internet status section, as it rarely works properly. Also on this page, the "Provider Accounts" will eventually allow you to setup commercial ISP settings, but for now it just tells you to use the Cable/Lan settings. The "Schedule" setting allows you to set the time where the firewall will be able to connect to the Internet if you are using a modem to dial into another server. If you want to adjust the schedule for Internet access using a LAN connection, you will only be able to do this if you enable the Squid Proxy service, and utilize Squidguard (accessed through the "Services" section, which will be covered later).

Firewall Rules

Firewall Rules
The Firewall Rules section is where you will be able to configure Shorewall to specify what traffic through your firewall will be allowed and denied. The first thing you must do is to setup your zones. By default there are 3 different zones; WAN, LAN and DMZ. These specify what type of connection each Network card will be connected to, most people will only use the WAN and LAN zones. So, you will want to specify the network card connected to the Internet as a "WAN" zone, and the network card connected to your private network as a "LAN" zone.

After setting up your network "zones", you will want to skip down to the default policies section. Default policies allow you to setup the default behavior for information traveling between different zones. Most of the default policies should be properly setup for you. One setting you may want to change, however, is the policy of traffic coming from the LAN zone to the Internet zone. By default, you must specifically allow any connection going through the firewall. This means that if your computers on the LAN interface try to access the Internet through a non-standard port (such as streaming video), the connection will be refused (and you will hear about it from the user). A very quick fix for this problem is to either:

A ) set the default policy to allow all connections originating from the LAN Interface
B ) specifically allow certain IP addresses full outgoing permissions

If you choose to deny Internet access through all but certain popular ports, be prepared to add lots of rules to the firewall in the first week or two. I usually go ahead and deny most ports, then add whatever ports are needed. If it gets to be quite a few for only one or two users, go ahead and create a rule that says anything coming from their IPs are allowed.

IP Masquerading
In order for the firewall to be able to "share" it's Internet connection, you must either setup IP Masquerading or setup a Proxy Server (or both). It is extremely easy to setup IP Masquerading with 2 Network cards using the web interface. Again, if you are planning on using the Squid Proxy server, you do not need to enable IP Masquerading for simple web browsing.

For masquerading using 2 network cards, simply click on Masq NAT, then enter the Network Interface you want to masquerade (LAN Interface), then the Network card connected to the Internet. Also, you could enter all the relevant IP Addresses instead of Network Interfaces, but for simple masquerading this is not necessary. From this screen, you can also setup advanced NAT rules, such as utilizing a DMZ, if this is needed.

Creating Firewall Rules
Firewall rules allow you to change the Default Policies (specified earlier) for certain circumstances. Firewall Rules also allow you to "Forward" any packets on a port to a different computer on the LAN, this is useful if you setup a server on your network that you want people to be able to access from the Internet. Also, if someone wants to play online games from behind the firewall, you will need to forward the traffic for that port to their computer's IP Address.

To create a rule that will allow access through a port, click on "add simple rule". This will bring up a dialog that has a drop down box of popular ports and applications. This dialog will allow you to create a simple "Allow" or "Deny" rule based on the port number, what protocol is being used, where the traffic is originating from, and where it is going to (for example coming from the LAN (local network) and going to the WAN (Internet).

Note: Even though the "add simple rule" has a forward check box, DO NOT use it to setup a port forwarding rule. This interface was created for Shorewall version 1.3.7 and Mandrake 10.1 uses Shorewall version 2.0.8, which has changed the way it forwards packets. If you do inadvertently check that box, Shorewall will refuse to start.

In order to create a port forwarding rule, you must go through the "Add Custom Rule" dialog. Simply enter all the relevant information, including the I.P. address of the computer you want the traffic to go to and make sure you select "DNAT" as the action. Then, after applying the Firewall Rules, port forwarding should work as expected.

After you setup all the relevant rules you want, it is now time to start the firewall service and ensure that your machines on the LAN are able to access the Internet through the firewall computer. On any computer that you wish to be able to access the Internet through the Firewall, adjust it's Network Settings so it will use the Firewall's IP address as the default Gateway address.

Note: Before you actually start the firewall service, you must delete the rule for port 20022, that rule is not formatted properly and Shorewall will not start with that rule in place. Also, if you are having difficulty in getting shorewall to start, go to the firewall computer and restart the Shorewall service manually using the command:

/etc/init.d/shorewall restartand watch the output. If shorewall fails to start it will tell you which rule is causing the problem. To fix it, simply do a "shorewall clear", login to the web config pages and delete any offending rules (recreate them if needed) and restart shorewall.

The other options available through the Firewall Rules section include:

Blacklists - allows you to specify hosts by IP or network that the firewall will simply drop its packets. This is good if you continually get messages in your logs for "questionable" activity coming from certain IPs.

TOS - allows you to define TOS service field in packet headers (advanced use).

Tunnels - allows you to setup IPSEC tunnels for secure communication between hosts (advanced use).

Sumber : http://www.flexbeta.net/main/printarticle.php?id=87

Labels: jaringan

Ditulis Oleh Riyadi, 11:44:00 AM | 0 comments |

Setting up Mandrake 10.1 as a Firewall 1

Installation
Preparing for Installation
For this installation I will be using an FTP install from one of Mandrake's Worldwide mirrors, as the downloadable 3-CD or DVD Images do not have the required packages. Note that even though this product is freely available under the GPL license, please either buy the full Mandrake distribution or join the Mandrake Club to ensure further development. Also, if you want commercial support for this firewall, Mandrake's MNF product is still available at their website.

In order to perform an FTP installation you must first create two diskettes that will be used for the install. Go to http://www.mandrakelinux.com/en/ftp.php3 and select a mirror to download the floppy images from. The diskette images will be located in the

./official/10.1/i586/install/imagesdirectory, the files you want are network.img and network_drivers.img.

To get these images onto a floppy under Linux, simply type

dd if=network.img of=/dev/fd0 bs=1024 conv=syncat a command prompt. Under Windows, you must also download a floppy image writer utility, which can be found in the

./official/10.1/i586/dosutilitydirectory, the file you want is rawritewin.exe. Once Downloaded, simply launch the application and locate the image file you want to write to a floppy.

Starting the Installation
Upon booting the computer with the network.img diskette, the installation routine should start and (hopefully) at least one of your network cards will be detected. Enter all the relevant information, such as IP Address, DNS and Gateway addresses that will allow you to download the software from an FTP server through your Internet connection.

The next step will be to select the installation type and either select an "Official" mirror, or enter the FTP server settings you want to use. If everything is correct, the graphical Installation program will be downloaded from the Internet and setup will continue. Depending on your connection speed, and the speed of the FTP server, this could take a while. If you are planning to "mass produce" these firewalls, it is best to setup a local mirror to speed up installation.

Once the graphical part of the installation starts, just step through the beginning settings of the installation, choosing what suits your machine. You will however want to choose "Higher" as the "Security Setting". Also once you get to package Selection, you must uncheck every "Package Group Selection" item and make sure you select "Individual Package Selection" before proceeding.

After you continue from the package selection screen, the installation program will ask you which minimum installation selection you want, usually it is a good idea not to run X on a firewall, so just select "with basic documentation", or "Truly minimal install" and continue on. When it asks for the packages you want to install, you will want to switch the package list to "flat" instead of group sorted, you do this by clicking on the arrows that look like a refresh button.

Now we will select the packages that will allow Mandrake 10.1 to act as a Firewall Device. First you must find and select "httpd2-naat", this will select this package as well as automatically select various other packages needed. Next you will want to select the "mnf-en" meta package that will select most of the other needed packages. Note: You must select httpd2-naat before you select mnf-en, otherwise it will try to use settings for apache ver 1.x instead of apache ver 2.x, thus the software will not work. The only other mandatory package you must select is naat-frontend-www-doc, although you may want to select other packages, such as "slocate" or "kernel-secure" (recommended) depending on your preferences. Just remember that this is a firewall, and the fewer packages you install the better.

As you continue the install, when it asks for users, ensure that you create the "admin" user, as well as one other user that you will use to login to the firewall. The admin user will be the user that you will use to login to the web configuration page. Also, when you configure services that start on boot, make sure you select any that your computer may need to boot, as well as the httpd2-naat service and possibly ssh if you want to remotely login.

After the first boot
After the install is done and you reboot the computer, you will notice that many services might have failed, even the httpd2-naat service will fail. To get the httpd2-naat service to work, you need to update the SSL certificates. You can do this by issuing the following command, (as root, in the /root directory):

/usr/lib/ssl/apache2-mod_ssl/gentestcrt.shThis script will ask you a few questions before it generates the required SSL Certificates, so you can either enter the information, or just hit enter through all the questions and the certificates will be created. Now, copy the certificates to the correct place:

cp server.* /etc/ssl/apache2Before httpd2-naat will actually run, you must edit one of the apache configuration files, "/etc/httpd/conf.d/51_ssl.httpd2-naat-vhost.naat". Within that file, wherever it says:

"/etc/ssl/apache/server.crt" and "/etc/ssl/apache/server.key"change it to

"/etc/ssl/apache2/server.crt" and "/etc/ssl/apache2/server.key"Once you are done editing that file, go ahead and try to restart the httpd2-naat services with:

/etc/init.d/httpd2-naat restartNow the service should start and you should now be able to remotely log into the web based configuration pages.

Sumber : http://www.flexbeta.net/main/printarticle.php?id=87

Labels: jaringan

Ditulis Oleh Riyadi, 11:29:00 AM | 0 comments |

Nonton TV Lewat Internet

Sekarang ini jarang banget aku nonton TV, g sempat lihat acara-acara di TV (sok sibuk kali he he he he). Lebih asyik di dunia maya, he he he. Maklum orang desa jadinya kagum ma Dunia Maya (g nyambung lagi). Emang sih TV banyak banget kasih beragam acara yang ditanyangkan tiap waktu bahkan tiap menit. Tapi aku emang malas kalo lama-lama di depan TV, bahkan jarang bisa nonton TV (pulang malem terus nih, he he he ). Tapi sekarang g gitu, tanpa TV aku bisa nonton TV dimanapun dan kapanpun dengan koneksi internet. Aku sudah coba nonton TV dengan koneksi dari Jardiknas yang lumayan bandwithnya, dan acara-acara TV yang muncul tidak pernah putus-putus (alias pedot-pedot). Aku tinggal buka browser dan masukin URL http://www.imediabiz.tv/ jadi deh TV yang siap menayangkan berbagai macam acara.

Dengan URL itu aku bisa melihat berbagai acara TV yang disediakan, disitu juga ada beberapa chanel TV, diantaranya RCTI, SCTV, INDOSIAR, TRANS TV, METROTV, TRANS7. Pokoknya keren-keren acaranya, dan itu pun baru aku buka dengan bandwith dari Jardiknas. Bagaimana dengan bandwith-bandwith yang lain?

Sumber : www.toha.co.nr

Labels: acara